Sasser (computer worm)

Sasser is a computer worm that affects computers running vulnerable versions of the Microsoftoperating systemsWindows XP and Windows 2000. Sasser spreads by exploiting the system through a vulnerable network port (as do certain other worms). Thus it is particularly virulent in that it can spread without user intervention, but it is also easily stopped by a properly configured firewall or by downloading system updates from Windows Update. The specific hole Sasser exploits is documented by Microsoft in its MS04-011 bulletin, for which a patch had been released seventeen days earlier.

Contents

Sasser was first noticed and started spreading on April 30, 2004. This worm was named Sasser because it spreads by exploiting a buffer overflow in the component known as LSASS (Local Security Authority Subsystem Service) on the affected operating systems. The worm scans different ranges of IP addresses and connects to victims' computers primarily through TCP port 445. Microsoft's analysis of the worm indicates that it may also spread through port 139. Several variants called Sasser.B, Sasser.C, and Sasser.D appeared within days (with the original named Sasser.A). The LSASS vulnerability was patched by Microsoft in the April 2004 installment of its monthly security packages, prior to the release of the worm. Some technology specialists have speculated that the worm writers reverse-engineered the patch to discover the vulnerability, which would open millions of computers whose operating system had not been upgraded with the security update.[citation needed]

Sasser was at first believed to have been authored in Russia by the same person(s) who created another worm usually referred to as Lovsan, MSBlast, or Blaster (due to the media), a connection indicated by code similarities between the two, but on 7 May 2004, 18-year old Germancomputer science student Sven Jaschan from Rotenburg, Lower Saxony was arrested for writing the worm. German authorities were led to Jaschan partly because of information obtained in response to a bounty offer by Microsoft of US$250,000.

One of Jaschan's friends had informed Microsoft that his friend had created the worm. He further revealed that not only Sasser, but also Netsky.AC, a variant of the Netsky worm, was his creation. Another variation of Sasser, Sasser.E, was found to be circulating shortly after the arrest. It was the only variation that attempted to remove other worms from the infected computer, much in the way Netsky does.

Jaschan was tried as a minor because the German courts determined that he created the worm before he was 18. The worm itself had been released on his 18th birthday (29 April 2004). Sven Jaschan was found guilty of computer sabotage and illegally altering data. On Friday, 8 July 2005, he received a 21 month suspended sentence.

An indication of the worm's infection of a given PC is the existence of the file C:\WIN.LOG or C:\WIN2.LOG on the PC's hard disk, as well as seemingly random crashes with LSASS.EXE on the screen caused by faulty code used in the worm. The most characteristic symptom of the worm is the shutdown timer that appears due to the worm crashing LSASS.exe.

The shutdown sequence can be aborted by pressing start and using the Run command to enter shutdown -a. This aborts the system shutdown so the user may continue what he or she was doing. The shutdown.exe file is not available by default within Windows 2000, but can be installed from the Windows 2000 resource kit. It is available in Windows XP. A second option to stop the worm from shutting down a computer is to change the time and/or date on its clock to earlier; the shutdown time will move as far into the future as the clock was set back.